CVE-2023-7303
Description
A vulnerability, which was classified as problematic, was found in q2apro q2apro-on-site-notifications up to 1.4.6. This affects the function process_request of the file q2apro-onsitenotifications-page.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.4.8 is able to address this issue. The patch is named 0ca85ca02f8aceb661e9b71fd229c45d388ea5b5. It is recommended to upgrade the affected component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unsanitized message event output in q2apro-on-site-notifications up to 1.4.6 allows stored cross-site scripting via crafted notification events.
The vulnerability exists in the process_request function of q2apro-onsitenotifications-page.php in the q2apro-on-site-notifications plugin (up to version 1.4.6). The plugin constructs notification messages by extracting portions of event parameter strings. These extractions were performed using substr without any sanitization, directly embedding the raw content into the notification output. The commit [1] shows that the fix wraps these substr calls with qa_html(), which applies appropriate HTML encoding.
The attack is remotely exploitable without requiring authentication, as the plugin processes notification events that can originate from other users' actions on the Q2A site. An attacker can craft a message, wall post, or other event content that includes malicious HTML or JavaScript. The unsanitized notification is then rendered in the notifications inbox of other site users, achieving stored cross-site scripting (XSS) [2][3].
A successful exploit allows the attacker to execute arbitrary script in the context of a victim's browser session. This can lead to session hijacking, defacement, or phishing within the Q2A site. The CVSS score of 3.5 reflects that the attacker must create or cause an event with malicious content, that user interaction is required, and that the confidentiality and integrity impact is partial.
The issue is resolved in version 1.4.8 [1]. The patch commit (0ca85ca02f8aceb661e9b71fd229c45d388ea5b5) applies HTML encoding to all event message extractions [1]. Users are recommended to upgrade to the latest version.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
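To make the mechanism concrete, here is an added PHP example (not the plugin's own code) that contrasts the pre-1.4.8 pattern, a raw substr() slice concatenated into the notification markup, with the patched pattern that wraps the slice in qa_html(). The event-string format, the function names and the encoding stand-in for qa_html() are assumptions for illustration.

```php
<?php
// Added example, not code from q2apro-on-site-notifications. It shows why
// embedding a raw substr() slice of event content is a stored XSS sink and
// how wrapping the slice in qa_html() (the 1.4.8 fix) neutralises it.

// Stand-in so the file runs outside Question2Answer. Assumption: the real
// qa_html() HTML-encodes its argument; ENT_SUBSTITUTE is added here so a
// slice that cuts a multibyte character mid-sequence does not make the
// encoder return an empty string.
if (!function_exists('qa_html')) {
    function qa_html($string)
    {
        return htmlspecialchars((string) $string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Pre-1.4.8 pattern: the excerpt of the event parameter goes into the
// markup unencoded, so any tags in it reach the recipient's browser.
function build_notification_vulnerable(string $params, int $maxlen = 40): string
{
    $excerpt = substr($params, 0, $maxlen);
    return '<li class="notification">' . $excerpt . '</li>';
}

// Patched pattern: the same slice, HTML-encoded before it is embedded,
// so the recipient sees the tags as literal text.
function build_notification_fixed(string $params, int $maxlen = 40): string
{
    $excerpt = qa_html(substr($params, 0, $maxlen));
    return '<li class="notification">' . $excerpt . '</li>';
}

// Constructed event content carrying markup, as another site user could
// submit it through a message or wall post.
$event = 'Hi <script>alert(1)</script> there';

echo build_notification_vulnerable($event), PHP_EOL;
echo build_notification_fixed($event), PHP_EOL;
```

Run with `php` on the command line: the first line still contains the raw script tag, the second shows it with `<`, `>` and quotes encoded, which is the difference the patch commit makes.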
Patches
1 patch: 0ca85ca02f8a
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References